[AVM Module Issue]: certificateKeyVaultProperties in App Managed Environments appears unusable (aka container app environment) #3855

Open
@christianacca

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

I'm not sure

Module Name

avm/res/app/managed-environment

(Optional) Module Version

0.8.1

Description

I have a working bicep infra-as-code script working just nicely to create a Container App environment (CAE) that imports a certificate from Key Vault, and a Container App that has a custom domain that's bound to this certificate from this CAE.

At the time I wrote the bicep, certificateKeyVaultProperties had not been made available in the App Managed Environments verified module, and so I used the "raw resource" instead. Now that certificateKeyVaultProperties was added in #2719, I thought I'd go and replace my usage of the raw resource with the AVM.

Problem is that when I run the bicep from scratch (i.e. where there is no previous managed environment or container app), this fails trying to create the container app, saying that the certificate cannot be found in the managed environment.

When I go and look at the managed environment in the Azure portal that did get created, I don't see the certificate listed in the "Bring your certificates" section. Hence the container app creation fails.

So now I am at a loss to know how to successfully/correctly use certificateKeyVaultProperties in the App Managed Environment module. Any assistance would be welcome, as I'm really trying hard to onboard as many resources to AVM as I can, and this issue is holding up that effort.

For reference, below are the relevant extracts taken from both the original working bicep and the new bicep that attempts to use the AVM.

Also, the PR where I make the switch to AVM for managed environment: https://github.com/christianacca/web-api-starter/pull/23/files

bicep using raw resource - working

// aca-environment.bicep

param instanceSettings object
param sharedSettings sharedSettingsType

var kvSettings = sharedSettings.certSettings.KeyVault
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: kvSettings.ResourceName
  scope: resourceGroup(kvSettings.SubscriptionId, kvSettings.ResourceGroupName)

  resource cert 'secrets' existing = { name: sharedSettings.certSettings.ResourceName }
}

resource acaEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' = {
  name: instanceSettings.ResourceName
  location: location
  properties: {
    // SNIP
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
    zoneRedundant: false
  }

  resource acaEnvCert 'certificates' = {
    name: sharedSettings.certSettings.ResourceName
    location: location
    properties: {
      certificateKeyVaultProperties: {
        identity: sharedSettings.managedIdentityResourceId
        keyVaultUrl: kv::cert.properties.secretUri
      }
    }
  }
}

// =============== //
//   Definitions   //
// =============== //


type sharedSettingsType = {
  certSettings: object
}

Full listing: aca-environment.bicep

// api.bicep (container app)

param instanceSettings object
param sharedSettings sharedSettingsType

module api 'br/public:avm/res/app/container-app:0.4.1' = {
  name: '${uniqueString(deployment().name, location)}-AcaApi'
  params: {
    containers: [
      {
        env: appEnvVars.outputs.desiredEnvVars
        image: appImage
        name: instanceSettings.ResourceName
        // SNIP
      }
    ]
    customDomains: [
      {
        name: apiHostName
        certificateId: acaEnv::cert.id
        bindingType: 'SniEnabled'
      }
    ]
    environmentId: acaEnv.id
    // SNIP
    workloadProfileName: 'Consumption'
  }
}

resource acaEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' existing = {
  name: instanceSettings.AcaEnvResourceName
  resource cert 'certificates' existing = { name: sharedSettings.certSettings.ResourceName }
}

// =============== //
//   Definitions   //
// =============== //

type sharedSettingsType = {
  certSettings: object
  // SNIP
}

Full listing: api.bicep

bicep using AVM - broken

// aca-environment.bicep

param instanceSettings object
param sharedSettings sharedSettingsType

var kvSettings = sharedSettings.certSettings.KeyVault
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: kvSettings.ResourceName
  scope: resourceGroup(kvSettings.SubscriptionId, kvSettings.ResourceGroupName)

  resource cert 'secrets' existing = { name: sharedSettings.certSettings.ResourceName }
}

module acaEnv 'br/public:avm/res/app/managed-environment:0.8.1' = {
  name: '${uniqueString(deployment().name, location)}-AcaEnv'
  params: {
    name: instanceSettings.ResourceName
    certificateKeyVaultProperties: {
      identityResourceId: sharedSettings.managedIdentityResourceId
      keyVaultUrl: kv::cert.properties.secretUri
    }
    // SNIP
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
    zoneRedundant: false
  }
}

// =============== //
//   Definitions   //
// =============== //


type sharedSettingsType = {
  certSettings: object
}

Full listing: aca-environment.bicep

// api.bicep (container app)

// NO CHANGE - see above

(Optional) Correlation Id

No response
